Updating build to check for vulnerabilities (#1026)

Francisco-Gamino · web-flow · commit 89e839959cee · 2023-12-08T22:50:26.000-08:00
* Add Check-CsprojVulnerabilities.ps1 script

* Do not print report by default

* Add check for security vulnerabilities stage in the pipeline

* Update test projects dependencies
diff --git a/Check-CsprojVulnerabilities.ps1 b/Check-CsprojVulnerabilities.ps1
@@ -0,0 +1,62 @@
+param
+(
+    [String[]]
+    $CsprojFilePath,
+
+    [switch]
+    $PrintReport
+)
+
+if (-not $CsprojFilePath)
+{
+    $CsprojFilePath = @(
+        "$PSScriptRoot/src/Microsoft.Azure.Functions.PowerShellWorker.csproj"
+        "$PSScriptRoot/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj"
+        "$PSScriptRoot/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj"
+    )
+}
+
+$logFilePath = "$PSScriptRoot/build.log"
+
+try
+{
+    foreach ($projectFilePath in $CsprojFilePath)
+    {
+        Write-Host "Analyzing '$projectFilePath' for vulnerabilities..."
+        
+        $projectFolder = Split-Path $projectFilePath
+        
+        Push-Location $projectFolder
+        & { dotnet restore $projectFilePath }
+        & { dotnet list $projectFilePath package --include-transitive --vulnerable } 3>&1 2>&1 > $logFilePath
+        Pop-Location
+
+        # Check and report if vulnerabilities are found
+        $report = Get-Content $logFilePath -Raw
+        $result = $report | Select-String "has no vulnerable packages given the current sources"
+
+        if ($result)
+        {
+            Write-Host "No vulnerabilities found"
+        }
+        else
+        {
+            $output = [System.Environment]::NewLine + "Vulnerabilities found!"            
+            if ($PrintReport.IsPresent)
+            {
+                $output += $report
+            }
+            
+            Write-Host $output -ForegroundColor Red
+            Exit 1
+        }
+        Write-Host ""
+    }
+}
+finally
+{
+    if (Test-Path $logFilePath)
+    {
+        Remove-Item $logFilePath -Force
+    }
+}
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -49,6 +49,9 @@ steps:
 - pwsh: ./build.ps1 -NoBuild -Bootstrap
   displayName: 'Running ./build.ps1 -NoBuild -Bootstrap'
 
+- pwsh: ./Check-CsprojVulnerabilities.ps1
+  displayName: 'Check for security vulnerabilities'
+
 - pwsh: |
       $ErrorActionPreference = "Stop"
 
diff --git a/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj b/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj
@@ -13,6 +13,8 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.1" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
     <PackageReference Include="WindowsAzure.Storage" Version="9.3.3" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
     <PackageReference Include="xunit" Version="2.4.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5" />
   </ItemGroup>
diff --git a/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj b/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj
@@ -12,6 +12,8 @@
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5" />
     <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.4.0" />
     <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.8.0-2.final" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
   </ItemGroup>
 
   <ItemGroup>
